Abstract. Intuitively, an (implementation) automaton is simulated by a (specification) automaton if every externally observable transition by the implementation automaton can also be made by the specification automaton. In this work, we present a symbolic algorithm for the simulation-checking of timed automata. We first present a simulation-checking procedure that operates on state spaces, representable with convex polyhedra, of timed automata. We then present techniques to represent those intermediate-result convex polyhedra with zones and thereby make the procedure an algorithm. We then discuss how to handle Zeno states in the implementation automaton. Finally, we have realized the algorithm and report on its performance in our experiments.

Keywords: simulation, implementation, refinement, dense-time, real-time, embedded, 
model-checking, verification, events 

1 Introduction 

In the last two decades, we have witnessed significant progress in both theory and applications of the formal verification of real-time systems. Especially, the technology of dense-time system model-checking [1] has been well received by academia, realized with many tools [8,19,22], and used for the verification of several industrial projects [6]. With model-checking, we represent the implementation as an automaton (state-transition diagram or table) and the specification as a temporal logic formula and want to check whether the implementation satisfies the specification. However, we have to admit that the promise of the model-checking technology for real-time systems has not been fulfilled yet. One reason is that engineers are not trained in writing formulas in temporal logics, like TCTL (Timed Computation-Tree Logic) [1]. In many applications, engineers may also envision their specifications as automata. With model-checking, it is usually difficult to completely and correctly represent a specification automaton as a set of logic formulas. There are two common frameworks for checking implementation automata against specification ones. The first is the language inclusion problem, which checks if all runs of an implementation are also those of the specification. It was proved in [3] that when both the implementation and specification are represented as timed automata (TA) [3], the language inclusion problem is undecidable. The second is called the simulation-checking problem, which intuitively checks if every transition that can be performed by the implementation can also be matched by the specification at the same instant. (The formal definition is in section 4.) It has been proved that the simulation-checking problem of TAs is in EXPTIME [18]. However, the algorithms in the literature are either based on region graph analysis [1] of the product of the implementation and the specification TAs [18] or based on time-abstraction [13], which does not preserve the timing properties. In this work, we have the following contributions.

• A symbolic procedure that checks for the simulation relation between dense-time systems. The procedure handles convex polyhedra in dense spaces of variables and straightforwardly falls in the realm of state-representation manipulation of linear hybrid automata (LHA) [2]. Thus the procedure is good for the simulation-checking of both LHAs and TAs.

• Techniques to implement the above-mentioned procedure with zone technology. In general, the manipulation of convex polyhedra can be very complex, and the verification problem of LHAs is undecidable. As a special subclass of LHAs, the state spaces of TAs can be efficiently represented and manipulated with zones (see footnote 1) [14]. In section 6, we present techniques to represent the intermediate results of the above-mentioned procedure with zones. The techniques effectively make the procedure a symbolic algorithm.

• A technique to handle Zeno states in simulation checking. A Zeno state is one from which no computation yields divergent computation time. Intuitively, if the implementation TA can transit to a Zeno state, such a transition need not be matched by the specification TA and should not affect the answer to the simulation-checking problem. In section 7, we present a lemma that helps us extend our simulation-checking algorithm to handle Zeno states in the implementation TAs.

We have realized our algorithm and techniques in the TCTL model-checker RED, version 7. The following is our presentation plan. Section 2 discusses related work. Section 3 defines our modeling language, TAs extended with event notations. Section 4 gives the definition and symbolic representation of the simulation relation between two TAs. Section 5 derives a symbolic procedure out of the definition of the simulation relation. Section 6 discusses how to implement the procedure of section 5 with zones. Section 7 discusses how to filter out false negatives caused by Zeno states of the implementation TA. Section 8 reports on our implementation and the experiments. Section 9 is the conclusion.



Footnote 1: A zone is a conjunction of atomic propositions and constraints of the form x − y ≤ c or x − y < c, where x, y are either zero or clocks and c is an integer constant.
2 Related work



Cerans showed that the bisimulation-checking problem of timed processes is decidable [9]. Taşiran et al. showed that the simulation-checking problem of TAs is in EXPTIME [18]. They also proposed an algorithm to check whether a location homomorphism between an implementation TA and a specification TA preserves timed behaviors. However, there is no general strategy to efficiently construct such homomorphisms. In comparison, our approach is purely algorithmic and automatic.

Henzinger et al. presented an algorithm that computes the time-abstract simulation, which does not preserve timed properties [13].

Nakata also discussed how to do symbolic bisimulation checking with integer-time labelled transition systems [16]. Beyer has implemented a refinement-checking algorithm for TAs with integer-time semantics [7]. In comparison, our algorithm is for dense-time semantics.

Lin and Wang presented a complete and sound proof system for the equivalence of 
TAs with dense-time semantics [15]. Usually, the proofs may need human guidance. 

Aceto et al. constructed a modal logic formula that completely characterizes a TA [4]. Thus the simulation-checking problem can be reduced to the model-checking problem. However, the formula they constructed is not for TAs with timed invariance constraints and does not handle the effect of Zeno states. In a sense, our formula (A) in definition 4 is also such a formula, for TAs with timed invariance constraints. Specifically, their characteristic formula is also of greatest-fixpoint nature and falls in the realm of LHA verification. It is not clear whether they can efficiently evaluate such characteristic formulas. In contrast, we have proposed and implemented the simulation-checking algorithm with zone technology.

3 A modeling language of dense-time systems 

We need the following notations for convenience of presentation. Given a set P of atomic propositions and a set X of clocks, we use B(P, X) as the set of all Boolean combinations of atoms of the forms p and x ∼ c, where p ∈ P, x ∈ X ∪ {0}, '∼' is one of ≤, <, =, ≥, >, and c is an integer constant. An element in B(P, X) is called a state predicate.

A valuation of a set Y (domain) is a mapping from Y to a codomain. A partial valuation is undefined for some elements in the domain. When it is not said specifically, a valuation means a total valuation that assigns a value to every element in the domain. A valuation ν satisfies a state-predicate η, in symbols ν ⊨ η, if the state-predicate evaluates to true when all its variables are interpreted according to ν. Given two (partial) valuations π and π' on domain Y, ππ' is a new valuation defined in the following way. For all y ∈ Y,

• if π'(y) is defined, ππ'(y) = π'(y);

• else if π'(y) is undefined and π(y) is defined, ππ'(y) = π(y);

• else ππ'(y) is undefined.

[Figure 1 (the two transition diagrams) is not reproduced here.]
Fig. 1. Two example TEAs: (a) A1 with H1 : (q = 0 ∧ x1 < 5) ∨ (q = 1 ∧ x1 < 10); (b) A2 with H2 : (q = 0 ∧ x2 < 5) ∨ (q = 1 ∧ x2 < 5)

We use the following extension of TA [3] for the modeling language in this work. 

Definition 1. Timed event-automata (TEA). A timed event-automaton (TEA) A is a tuple (Σ, X, G, L, I, H, E, ε, τ, π) with the following restrictions. Σ is a finite set of event names. X is a finite set of clocks. G is a finite set of global atomic propositions. G and Σ represent the set of external observables of a TEA. L is a finite set of local atomic propositions such that G ∩ L = ∅. I ∈ B(G ∪ L, X) is the initial condition. H ∈ B(G ∪ L, X) is the invariance condition. E is the finite set of transitions. ε : E ↦ 2^Σ labels each rule with a set of input/output events. τ : E ↦ B(G ∪ L, X) defines the triggering condition of each rule execution. For each e ∈ E, π(e) is a partial valuation from X to {0} and from G ∪ L to {true, false} that defines the assignments to clocks and proposition variables of each rule execution. If π(e)(y) is undefined, it means variable y stays unchanged in the transition.

For convenience, we assume that for every TEA, there is a null transition ⊥ such that ε(⊥) = ∅, τ(⊥) = true, and π(⊥) is undefined on everything. ■

Example 1. We have the transition diagrams of two example TEAs in figure 1. They share events send and receive and global proposition q. They respectively have local clocks x1 and x2. A1 has two transitions while A2 has four. We stack the events, triggering conditions, and the assignments made at each transition. The initial conditions are labeled by the arcs without a source. ■

Let ℕ be the set of non-negative integers and ℝ≥0 the set of non-negative reals.

Definition 2. States of a TEA. A state of TEA A is a total valuation from X to ℝ≥0 and from G ∪ L to {true, false}. Let V_A denote the set of states of A. For any state ν and δ ∈ ℝ≥0, ν + δ is a valuation identical to ν except that for every x ∈ X, ν(x) + δ = (ν + δ)(x). ■

Given two states ν, ν' and a transition e, we say A transits with e from ν to ν', in symbols ν −e→ ν', if ν ⊨ τ(e), νπ(e) = ν', and ν' ⊨ H. Based on the above-presented notions, we are ready to define linear computations of TEAs.

Definition 3. Runs. Given a TEA A = (Σ, X, G, L, I, H, E, ε, τ, π), a run is an infinite computation of A along which time diverges. Formally speaking, a run is an infinite sequence of state-time pairs (ν_0, t_0)(ν_1, t_1) ... (ν_k, t_k) ... such that

• t_0 t_1 ... t_k ... is a monotonically increasing divergent real-number sequence, i.e., ∀c ∈ ℕ, ∃k ≥ 1, t_k > c; and

• for all k ≥ 0, for all δ ∈ [0, t_{k+1} − t_k], ν_k + δ ⊨ H; and

• for all k ≥ 0, there is an e ∈ E such that ν_k + t_{k+1} − t_k −e→ ν_{k+1}. ■



4 Implementation, simulation, refinement, and equivalence 

Suppose we are given two TEAs A1 and A2 with Ai = (Σ, Xi, G, Li, Ii, Hi, Ei, εi, τi, πi), 1 ≤ i ≤ 2. Intuitively, A1 implements (or refines, or is simulated by) A2 if we can map every reachable state ν1 of A1 to a reachable state ν2 of A2 such that every externally observable action that A1 can do at a specific time from ν1, A2 can also do at the same instant from ν2. If A2 can always direct its runs so that no difference in the external behaviors of A1 and A2 will ever be observed, then we say A1 implements A2. This is formalized with the following definition.

We need the following notations for the convenience of discuss{{...}}



Definition 4. Implementation, simulation, and equivalence. Suppose we are given two TEAs A1 and A2 such that Ai = (Σ, Xi, G, Li, Ii, Hi, Ei, εi, τi, πi), 1 ≤ i ≤ 2, L1 ∩ L2 = ∅, and X1 ∩ X2 = ∅. A simulation relation Q from A1 to A2 is a binary relation from V_A1 to V_A2 with the following restriction. For every (ν1, ν2) ∈ Q, ν1 and ν2 agree on the interpretation of variables in G, and for every δ ∈ ℝ≥0 and transition e1 of E1 such that for all δ' ∈ [0, δ], ν1 + δ' ⊨ H1 and ν1 + δ −e1→ ν1', there are ν2' ∈ V_A2 and e2 ∈ E2^(e1) such that stutter2(ν1, ν2, δ, ν2', Q), ν2' −e2→ ν2'π2(e2), and (ν1', ν2'π2(e2)) ∈ Q. Or equivalently, (ν1, ν2) ∉ Q if there is e1 ∈ E1 satisfying formula (A) in the following.



\[
\exists \delta \in \mathbb{R}^{\ge 0}
\left(
\begin{array}{l}
\nu_1 + \delta \models \tau_1(e_1) \wedge (\nu_1 + \delta)\pi_1(e_1) \models H_1 \wedge \neg\exists 0 \le \delta' \le \delta\,(\nu_1 + \delta' \models \neg H_1) \\
\wedge\ \neg \exists \nu_2'\, \exists e_2 \in E_2^{(e_1)}
\left(
\begin{array}{l}
\mathrm{stutter}_2(\nu_1, \nu_2, \delta, \nu_2', Q) \\
\wedge\ \nu_2' \xrightarrow{e_2} \nu_2'\pi_2(e_2) \\
\wedge\ ((\nu_1 + \delta)\pi_1(e_1), \nu_2'\pi_2(e_2)) \in Q
\end{array}
\right)
\end{array}
\right) \qquad (A)
\]
Note that formula (A) has the following structure: ∃δ ∈ ℝ≥0 (B ∧ ¬C). Formula (B) says that A1 can do transition e1 at time δ from ν1. Formula (C) says that A2 can match e1 with e2 at the same time from ν2 through a run with transitions internal to A2. The quantification scope of δ contains both (B) and (C) to make sure e1 and e2 are matched at the same instant.

Given a simulation relation Q from A1 to A2, we denote A1 ≼_Q A2 if for every state ν1 ⊨ I1, there is a ν2 ⊨ I2 with (ν1, ν2) ∈ Q. If A1 ≼_Q A2 for some simulation relation Q, we say A1 implements (or refines, or is simulated by) A2, in symbols A1 ≼ A2. Two TEAs A1 and A2 are equivalent (i.e. bisimulate), in symbols A1 ≡ A2, if A1 ≼ A2 and A2 ≼ A1. ■

Example 2. In example 1, A1 is not simulated by A2 since A1 can make a transition after 5 time units in state q = 1 while A2 cannot. ■

In a TEA, there could be some computation that does not yield divergent computation time. Specifically, a Zeno computation is an infinite run (ν_0, t_0) ... (ν_k, t_k) ... such that its time sequence t_0 ... t_k ... converges to a finite value. Zeno computations are counter-intuitive. A Zeno state is a state that only starts Zeno computations. The problem with Zeno states in simulation-checking is that A1 may stay in Zeno states that are not matched by any specified state of A2. Intuitively, we want to check that A1 implements A2 from all non-Zeno states. We present the following definition to make this clear.

Definition 5. Non-Zeno implementation and equivalence. Let NZ1 be a representation of the non-Zeno states in the reachable state-space of A1. An NZ-simulation Q from A1 to A2 is a binary relation from V_A1 to V_A2 that satisfies the following requirement. For every (ν1, ν2) ∈ Q, if A1 can do a transition e1 at δ time units from ν1 "to a non-Zeno state" ν1', then A2 can also do a transition e2 ∈ E2^(e1) after a finite run of δ time units long with transitions internal to A2 to a state ν2' such that (ν1', ν2') ∈ Q. The only difference from definition 4 is the quoted phrase in the last sentence. The formal definition is left to appendix A due to the page limit. A1 NZ-implements (or NZ-refines, or is NZ-simulated by) A2, in symbols A1 ≼_NZ A2, if there is a non-Zeno simulation relation Q from A1 to A2 such that for every non-Zeno state ν1 ⊨ I1 ∧ NZ1, there is a ν2 ⊨ I2 such that (ν1, ν2) ∈ Q. Two TEAs A1 and A2 are NZ-equivalent (i.e. NZ-bisimulate), in symbols A1 ≡_NZ A2, if A1 ≼_NZ A2 and A2 ≼_NZ A1. ■

Example 3. In example 1, A2 is not simulated by A1 since A2 can yield infinite sequences of the send events while A1 cannot. Such sequences are from Zeno states with x2's value converging to 5. In fact, A2 is NZ-simulated by A1. ■

5 Symbolic procedure for simulation-checking 

Formula (A) leads to a greatest-fixpoint procedure for calculating a simulation relation from A1 to A2, if any. The idea is to first compute an initial image of Q and then iteratively delete state pairs from Q with formula (A) until a fixpoint is reached. Please be reminded that formula (A) has the following structure: ∃δ ∈ ℝ≥0 (B ∧ ¬C). In the following, we first present a scheme for the symbolic representation of Q. Then we discuss how to construct formulas (B) and (C) respectively out of Q.



5.1 Symbolic representation of Q 

We define linear hybrid predicates (LH-predicates) to represent convex polyhedra in dense space. An LH-predicate is a Boolean combination whose atoms are either

• atomic propositions, like p, or

• linear constraints like Σ_{1≤i≤n} c_i x_i ∼ d, where x_1, ..., x_n are clock variables, c_1, ..., c_n, d are integer constants, and '∼' ∈ {≤, <}.

Let C(A1, A2) be the biggest constant used in A1 and A2. An LH-predicate is called a zone-predicate if its linear constraints are like x1 − x2 ∼ d where x1, x2 are either zeros or clock variables and d ∈ ℕ ∩ [0, C(A1, A2)]. Clearly, zone-predicates are special cases of LH-predicates. In practice, such zone-predicates can be implemented with DBMs [10] or CRDs [19] while LH-predicates can be with convex polyhedra [12] or HRDs [20]. Given a (ν1, ν2) ∈ Q, we require in definition 4 that ν1 and ν2 agree on the interpretation of variables in G. Thus if we have LH-predicates η1 and η2 for ν1 and ν2 respectively, we can use η1 ∧ η2 to represent pairs like (ν1, ν2) in Q.

Example 4. Given G = {a}, X1 = {x1}, L1 = {b1}, X2 = {x2}, L2 = {b2}, we may have the following LH-predicate (also a zone-predicate) (f_Q) for Q.

\[
\begin{array}{l}
(a \wedge b_1 \wedge \neg b_2 \wedge 0 \le x_1 \wedge 3 \le x_2 \le 5 \wedge x_2 - x_1 \le 5) \\
\vee\ (\neg a \wedge 2 \le x_1 \le 9 \wedge 1 \le x_2 \wedge x_1 - x_2 \le 8)
\end{array} \qquad (f_Q)
\]

■

In the following, we propose procedures that manipulate LH-predicates to represent pairs like (ν1, ν2).



5.2 Basic building blocks 

One fundamental procedure is Fourier-Motzkin elimination [11]. Suppose we have a formula F of variables in set Y. In this work, Fourier-Motzkin elimination constructs ∃y(F) as a formula without y ∈ Y. For LH-predicates and zone-predicates, efficient implementation of Fourier-Motzkin elimination has been discussed in [14,19,20].

Example 5. For formula (f_Q) in example 4,

\[
\exists a (f_Q) = \begin{array}{l}
(b_1 \wedge \neg b_2 \wedge 0 \le x_1 \wedge 3 \le x_2 \le 5 \wedge x_2 - x_1 \le 5) \\
\vee\ (2 \le x_1 \le 9 \wedge 1 \le x_2 \wedge x_1 - x_2 \le 8)
\end{array}
\]

And ∃x1(f_Q) = (a ∧ b1 ∧ ¬b2 ∧ 3 ≤ x2 ≤ 5) ∨ (¬a ∧ 1 ≤ x2 ≤ 6). ■

We also need the following procedures to present our procedure. Given a symbolic representation η of ν, the symbolic representation of ν + δ can be obtained by replacing each clock x in η with x + δ [14].
Example 6. For the (f_Q) in example 4, f_Q + δ is the following.

\[
\begin{array}{l}
(a \wedge b_1 \wedge \neg b_2 \wedge 0 \le x_1 + \delta \wedge 3 \le x_2 + \delta \le 5 \wedge x_2 - x_1 \le 5) \\
\vee\ (\neg a \wedge 2 \le x_1 + \delta \le 9 \wedge 1 \le x_2 + \delta \wedge x_1 - x_2 \le 8)
\end{array}
\]

Note that for constraints like x1 − x2 ≤ 8, the positive and negative δ respectively from x1 and x2 cancel each other. ■
Let path(η1, δ) be the constraint that from now to δ time units in the future, η1 is true, i.e., path(η1, δ) = ¬∃δ'((¬η1) + δ' ∧ 0 ≤ δ' ∧ δ' ≤ δ). We can then define Tbck(η', η), which computes the space representation of states

• from which we can go to states in η simply by time-passage; and

• every state in the time-passage also satisfies condition η'.

Tbck(η', η) can be constructed as ∃t(t ≥ 0 ∧ η + t ∧ path(η', t)) [14].

Given a partial assignment Π of G ∪ L1 ∪ L2 ∪ X1 ∪ X2, we let ηΠ be the precondition to η before the assignment. Suppose Π is defined for {y1, ..., yn}.

\[
\eta\Pi = \Big(\bigwedge_{x \text{ is a clock defined in } \Pi} x \ge 0\Big) \wedge \exists y_1 \cdots \exists y_n \Big(\eta \wedge \bigwedge_{1 \le i \le n} y_i = \Pi(y_i)\Big)
\]

Given e1 ∈ E1 and e2 ∈ E2^(e1) such that e1 and e2 are compatible, the weakest precondition to η through the discrete transition pair (e1, e2) can be represented as Xbck_(e1,e2)(η) = τ1(e1) ∧ τ2(e2) ∧ (η(π1(e1)π2(e2))).

With procedures Xbck_(e1,e2)() and Tbck(), we can construct the symbolic backward reachability procedure, denoted Rbck_{E2^(⊥)}(η1, η2) for convenience, as in [14,19]. Intuitively Rbck_{E2^(⊥)}(η1, η2) characterizes the state-space for ∃η1 U η2 through transitions in E2^(⊥). Computationally, Rbck_{E2^(⊥)}(η1, η2) is the least fixpoint solution of the equation Y = η2 ∨ Tbck(η1, ⋁_{e2 ∈ E2^(⊥)} Xbck_(⊥,e2)(Y)). That is,

\[
\mathrm{Rbck}_{E_2^{(\perp)}}(\eta_1, \eta_2) = \mathrm{lfp}\,Y.\Big(\eta_2 \vee \mathrm{Tbck}\Big(\eta_1, \bigvee_{e_2 \in E_2^{(\perp)}} \mathrm{Xbck}_{(\perp, e_2)}(Y)\Big)\Big)
\]

Now we need to construct a symbolic characterization of (ν1, ν2) for stutter2(ν1, ν2, δ, ν2', Q) when ν2' and Q are represented as formulas (f_{ν2'}) and Q respectively. We use an auxiliary clock z ∉ X1 ∪ X2 to measure the length of the stuttering run. Then, we have

\[
f_{\mathrm{stutter}}(\delta, f_{\nu_2'}, Q) = \exists z\Big(z = 0 \wedge \mathrm{Rbck}_{E_2^{(\perp)}}\big(Q,\ z = \delta \wedge f_{\nu_2'}\big)\Big)
\]

5.3 Construction of formula (B) 

We rewrite formula (B) in formula (A) as follows.

\[
\nu_1 + \delta \models \tau_1(e_1) \wedge (\nu_1 + \delta)\pi_1(e_1) \models H_1 \wedge \neg\exists 0 \le \delta' \le \delta\,(\nu_1 + \delta' \models \neg H_1) \qquad (B)
\]

The first conjunct says that after δ time units from state ν1, A1 satisfies the triggering condition of transition e1. The second conjunct says that in this time-progression of δ time units, A1 always satisfies H1. The third conjunct says that at the end of the time-progression, A1 goes from ν1 + δ to (ν1 + δ)π1(e1) and still satisfies H1. The weakest characterization, i.e. formula (B), of ν1 can be derived backward from H1 as follows.

\[
(\mathrm{Xbck}_{(e_1, \perp)}(H_1) + \delta) \wedge \mathrm{path}(\neg H_1, \delta) \qquad (f_B)
\]

It characterizes those states that can take transition e1 at δ time units away. The first conjunct corresponds to the first two conjuncts in formula (B) while the last one to the last one in (B).



5.4 Construction of formula (C) 

We rewrite formula (C) as follows.

\[
\exists \nu_2'\, \exists e_2 \in E_2^{(e_1)}
\left(
\begin{array}{l}
\mathrm{stutter}_2(\nu_1, \nu_2, \delta, \nu_2', Q) \\
\wedge\ \nu_2' \xrightarrow{e_2} \nu_2'\pi_2(e_2) \\
\wedge\ ((\nu_1 + \delta)\pi_1(e_1), \nu_2'\pi_2(e_2)) \in Q
\end{array}
\right) \qquad (C)
\]

The first conjunct in the outer quantification is for the measurement of the length, δ, of the stuttering run through transitions internal to A2. The second is for the execution of e2 ∈ E2^(e1). Specifically, the quantified ν2' is for the precondition of e2. Given a simulation relation representation Q, the constraint on ν2' from the second conjunct is as follows.

\[
\bigvee_{e_2 \in E_2^{(e_1)}} \mathrm{Xbck}_{(e_1, e_2)}(Q) \qquad (f_{\nu_2'})
\]

To make sure that A1 and A2 observe the same behavior with e1 and e2 respectively, we construct the precondition of both e1 and e2 out of Q instead of out of the representation of ν2'. Now with the formulation of f_{ν2'} in the above and f_stutter(δ, f_{ν2'}, Q) in section 5.2, we find the following formulation for formula (C).

\[
\exists z\Big(z = 0 \wedge \mathrm{Rbck}_{E_2^{(\perp)}}\Big(Q,\ z = \delta \wedge \bigvee_{e_2 \in E_2^{(e_1)}} \mathrm{Xbck}_{(e_1, e_2)}(Q)\Big)\Big) \qquad (f_C)
\]

5.5 Procedure 

With formulas (f_B) and (f_C), we find that formula (A) can be constructed as

\[
f_A(e_1, Q) = \exists \delta \ge 0
\left(
\begin{array}{l}
(\mathrm{Xbck}_{(e_1, \perp)}(H_1) + \delta) \wedge \mathrm{path}(\neg H_1, \delta) \\
\wedge\ \neg \exists z\Big(z = 0 \wedge \mathrm{Rbck}_{E_2^{(\perp)}}\Big(Q,\ z = \delta \wedge \bigvee_{e_2 \in E_2^{(e_1)}} \mathrm{Xbck}_{(e_1, e_2)}(Q)\Big)\Big)
\end{array}
\right) \qquad (f_A)
\]

With formula f_A(e1, Q), we are now ready to present our procedure for simulation checking. The procedure is a greatest-fixpoint one. We start from Q = H1 ∧ H2. Then we iteratively delete the state pairs described in f_A(e1, Q) for each e1 ∈ E1 until a fixpoint is reached. For convenience, we let FM_elm(F, {y1, ..., yn}) = ∃y1∃y2...∃yn(F).



Simulation_Check(A1, A2) /* Ai = (Σ, Xi, G, Li, Ii, Hi, Ei, εi, τi, πi), 1 ≤ i ≤ 2 */ {
    let Q := H1 ∧ H2; Q' := false;                                      (F)
    while (Q ≠ Q'), do {
        Q' := Q;
        for each e1 ∈ E1, Q := Q ∧ ¬f_A(e1, Q);
        if (I1 ≠ FM_elm(I1 ∧ I2 ∧ Q, L2 ∪ X2))                           (J)
            print "A1 does not implement A2" and return false.
    }
    print "A1 implements A2" and return true.
}

We can start the greatest fixpoint image from H1 ∧ H2 at statement (F) because of the following lemma.

Lemma 1. If A1 ≼ A2, then there is a Q such that A1 ≼_Q A2 and ∀(ν1, ν2) ∈ Q ((ν1, ν2) ⊨ H1 ∧ H2). ■

In statement (J), we check whether all initial states of A1 are paired with some initial states of A2 in Q. The statement employs a technique called early decision of greatest fixpoint (EDGF) [21] and could significantly reduce the computation time of greatest-fixpoint evaluation when no simulation relation exists. The following lemma establishes the correctness of our procedure.

Lemma 2. When Simulation_Check(A1, A2) halts, it returns true iff A1 ≼ A2. ■

6 Algorithm with zone-technology

When the initial condition, invariance condition, and transition triggering conditions of A1 and A2 are all presented as LH-predicates, we can prove that all operations in Simulation_Check(A1, A2) yield only LH-predicates. This is based on the following lemma, since all our operations in Simulation_Check(A1, A2) are built from the basic operations listed in it.

Lemma 3. Given LH-predicates η1 and η2, η1 ∨ η2, η1 + δ, ∃x(η1) with x ∈ X1 ∪ X2, and ∃p(η1) with p ∈ G ∪ L1 ∪ L2 are all LH-predicates. ■

However, the representation and manipulation of LH-predicates are usually less than efficient. In this section, we present techniques that allow us to implement procedure Simulation_Check() with zone technology. The correctness of such techniques is based on theorem 10 in [18], which asserts that for any ν1, ν1' in the same region (see footnote 2) of A1 and ν2, ν2' in the same region of A2, (ν1, ν2) ∈ Q iff (ν1', ν2') ∈ Q. In the following, we carefully examine formula (f_A) for operations that yield non-zone-predicates and discuss how to rewrite the predicates to make them representable with zones. We find two classes of operations that create non-zone-predicates. We present techniques in subsections 6.1 and 6.2 to represent the results of such operations with zones. In subsection 6.3, we combine the techniques of the two subsections and reformulate procedure Simulation_Check() as an algorithm.

Footnote 2: A region is a smallest state-space that can be characterized with a zone.

Formulas (f_B) and (f_C) both use basic procedures Rbck(), Tbck(), and Xbck_(e1,e2)(), which are in turn built upon Fourier-Motzkin elimination, Boolean operations, and
"+δ" operations of predicates. We let ZP_c(X, P) be the set of all zone-predicates whose atoms are either atomic propositions in P or inequalities like x1 − x2 ∼ d where x1, x2 ∈ X ∪ {0}, '∼' ∈ {≤, <}, and |d| ≤ c. According to the literature [14,19], we find that given zone-predicates in ZP_{C(A1,A2)}(X, P) as their arguments, all such basic procedures yield zone-predicates in ZP_{C(A1,A2)}(X, P). The challenge here is that some arguments in formulas (f_B) and (f_C) are not exactly zone-predicates. Our idea is to rearrange the arguments to those basic procedures so that they all appear as zone-predicates in ZP_{C(A1,A2)}(X, G ∪ L1 ∪ L2) for some X.

After examining formulas (f_B) and (f_C), we find out that there are only two ways that we may yield non-zone-predicates.

6.1 Time-progress operations in formulas (fs) and (fc) 

The first class of operations happens when we execute the "+δ" operation in formula (f_B) and when we call the "+t" and "+t'" operations in procedures Tbck() and Rbck(). In these cases, δ, t, t' are not exactly clocks (i.e., their values do not change with time). Now we focus on the case of "+δ". The other two cases, for t and t', are similar. After operation "+δ", we convert literals like x ∼ c or −x ∼ −d respectively to something like x + δ ∼ c and −x − δ ∼ −d, which do not look like atomic constraints in zone-predicates. What we do is introduce a new dense variable '−δ' and instead convert those literals to x − (−δ) ∼ c and (−δ) − x ∼ −d. In this way, given any argument in ZP_{C(A1,A2)}(X, P), the "+δ" operations (and the "+t" and "+t'" operations) all yield zone-predicates in ZP_{C(A1,A2)}(X ∪ {−δ, −t, −t'}, P). So we can establish the following lemma.

Lemma 4. Given TEAs A1 and A2 and η ∈ ZP_{C(A1,A2)}(G ∪ L1 ∪ L2, X1 ∪ X2), η + δ and path(¬η, δ) are both in ZP_{C(A1,A2)}(G ∪ L1 ∪ L2, X1 ∪ X2 ∪ {−δ}). ■

Note that the correctness of this first conversion relies on the fact that we never do a double time-progression operation like (η + t) + t' in (f_B) and (f_C).
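The zone operations that section 5.2 (Fourier-Motzkin elimination, the "+δ" of examples 5 and 6, Tbck) and section 6.1 (the fresh variable '−δ') rest on, as an added example that is not the paper's code (RED uses CRDs; this toy keeps one zone as a DBM [10] instead): eliminating a clock is matrix closure followed by dropping the clock, and "+δ" is realised exactly as in section 6.1 by replacing the zero reference of every clock atom with the variable −δ. The names Zone, exists, plus_delta, time_predecessor and the sample zone (the clock part of the first disjunct of (f_Q)) are ours.

```python
from math import inf

# A bound is (d, strict): x - y < d if strict, else x - y <= d.
INF = (inf, True)
ZERO = (0, False)

def tighter(a, b):
    """True iff bound a is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def add(a, b):
    """Bound on x - z implied by x - y ~ a and y - z ~ b (one FM step)."""
    return (a[0] + b[0], a[1] or b[1])

class Zone:
    """Conjunction of atoms x - y ~ d over clocks u {'0'} (footnote 1),
    stored as a DBM D where D[i][j] bounds vars[i] - vars[j]."""
    def __init__(self, clocks):
        self.vars = ["0"] + list(clocks)
        n = len(self.vars)
        self.D = [[INF] * n for _ in range(n)]
        for i in range(n):
            self.D[i][i] = ZERO
        for x in clocks:                      # clock values are non-negative
            self.constrain("0", x, 0)

    def idx(self, v):
        return self.vars.index(v)

    def bound(self, x, y):
        return self.D[self.idx(x)][self.idx(y)]

    def constrain(self, x, y, d, strict=False):
        """Conjoin the atom x - y ~ d, keeping the tighter of old and new."""
        i, j = self.idx(x), self.idx(y)
        if tighter((d, strict), self.D[i][j]):
            self.D[i][j] = (d, strict)
        return self

    def close(self):
        """Floyd-Warshall canonical form; returns False iff the zone is empty.
        On difference constraints this is Fourier-Motzkin elimination run for
        every variable at once, so each implied atom becomes explicit."""
        n = len(self.vars)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    via = add(self.D[i][k], self.D[k][j])
                    if tighter(via, self.D[i][j]):
                        self.D[i][j] = via
        return not any(tighter(self.D[i][i], ZERO) for i in range(n))

    def exists(self, v):
        """FM_elm(eta, {v}), the 3v(eta) of section 5.2: after closure every
        bound routed through v is explicit, so v's row and column are dropped."""
        self.close()
        keep = [w for w in self.vars if w != v]
        z = Zone([])
        z.vars = keep
        z.D = [[self.bound(x, y) for y in keep] for x in keep]
        return z

    def plus_delta(self, nd="-delta"):
        """eta + delta by the section 6.1 rewriting: the '0' reference of each
        clock atom becomes a fresh dense variable nd standing for -delta, so
        x + delta ~ c reads x - nd ~ c and -x - delta ~ -d reads nd - x ~ -d;
        clock-clock atoms are untouched because the deltas cancel (example 6)."""
        clocks = self.vars[1:]
        z = Zone(clocks + [nd])
        z.D[0][z.idx(nd)] = INF               # nd is not a clock: drop nd >= 0
        z.constrain(nd, "0", 0)               # but delta >= 0, i.e. -delta <= 0
        for x in clocks:
            z.D[z.idx(x)][z.idx(nd)] = self.bound(x, "0")
            z.D[z.idx(nd)][z.idx(x)] = self.bound("0", x)
            for y in clocks:
                if x != y:
                    z.D[z.idx(x)][z.idx(y)] = self.bound(x, y)
        return z

def time_predecessor(zone):
    """Tbck(true, eta) = 3t(t >= 0 ^ eta + t): states that reach eta by time
    passage alone, obtained by quantifying the fresh variable away again."""
    return zone.plus_delta().exists("-delta")

def example_zone():
    """Constructed input: the clock part of the first disjunct of (f_Q) in
    example 4, 0 <= x1 ^ 3 <= x2 <= 5 ^ x2 - x1 <= 5."""
    z = Zone(["x1", "x2"])
    z.constrain("0", "x2", -3)                # 3 <= x2
    z.constrain("x2", "0", 5)                 # x2 <= 5
    z.constrain("x2", "x1", 5)                # x2 - x1 <= 5
    return z

def atoms(zone):
    """Canonical non-trivial atoms of a zone as readable strings."""
    zone.close()
    return [f"{x} - {y} {'<' if s else '<='} {d}"
            for x in zone.vars for y in zone.vars
            for (d, s) in [zone.bound(x, y)] if x != y and d != inf]
```

Running atoms(example_zone().exists("x1")) reproduces the 3 ≤ x2 ≤ 5 of example 5, and time_predecessor(example_zone()) gives x2 ≤ 5 ∧ x2 − x1 ≤ 5 with the lower bound on x2 gone, the states that reach the zone just by letting time pass.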

6.2 Measuring time-progress with d and clock z in formula (fc) 

The second way that we may yield a non-zone-predicate stems from the equality z = δ in formula (f_C). This equality is represented as the zone-predicate z − δ ≤ 0 ∧ δ − z ≤ 0. This could make trouble since when we apply the "+t" (or "+t'") operations in formula (f_C), the literals are converted to z + t − δ ≤ 0 and δ − z − t ≤ 0, since δ does not change its value with time progress. Such literals are certainly not zone-predicates. One observation from formula (f_A) is that the quantification of z appears inside that of δ. Thus in the scope of processing z-related predicates in formula (f_C), δ is static and stays unchanged. Moreover, only the "+t" and "+t'" operations appear in formula (f_C) while no "+δ" operation does. Thus our idea is to use the auxiliary clock 'z − δ' instead of z. Note that clock 'z − δ' is special in that its value may be less than zero. Then equality z = δ is instead represented as (z − δ) ≤ 0 ∧ −(z − δ) ≤ 0, and (z = δ) + t yields (z − δ) − (−t) ≤ 0 ∧ (−t) − (z − δ) ≤ 0, which again falls in the syntax of zone-predicates.

There is one technicality that we need to take care of after introducing auxiliary clock 'z − δ'. In formula (f_C), we need to evaluate

\[
\exists z\Big(z = 0 \wedge \mathrm{Rbck}_{E_2^{(\perp)}}\Big(Q,\ z = \delta \wedge \bigvee_{e_2 \in E_2^{(e_1)}} \mathrm{Xbck}_{(e_1, e_2)}(Q)\Big)\Big) \qquad (K)
\]

With the explanation in the previous paragraph, we can prove the following lemma.

Lemma 5. Given TEAs A1 and A2 and η ∈ ZP_{C(A1,A2)}(G ∪ L1 ∪ L2, X1 ∪ X2), Rbck_{E2^(⊥)}(η, z = δ ∧ ⋁_{e2 ∈ E2^(e1)} Xbck_(e1,e2)(η)) is in ZP_{C(A1,A2)}(X1 ∪ X2 ∪ {(z − δ)}, G ∪ L1 ∪ L2). ■

With lemma 5, we can assume that formula Rbck_{E2^(⊥)}(Q, z = δ ∧ ⋁_{e2 ∈ E2^(e1)} Xbck_(e1,e2)(Q)) yields a zone-predicate f_M. Formula (K) can be evaluated as a zone-predicate by replacing every occurrence of z in f_M with 0. We can implement a procedure, replace(η, z, 0), that replaces every occurrence of clock variable 'z − δ' in zone-predicate η with the clock variable value '−δ'. Thus ∃z(z = 0 ∧ f_M) = replace(f_M, z, 0).



6.3 Implementing Simulation_Check() with zones 

Combining the techniques in the previous two subsections, we can establish the following lemmas, whose proofs are omitted due to the page limit.

Lemma 6. When A1 and A2 are both TEAs, f_A(e1, Q) is equivalent to

\[
\exists \delta \ge 0
\left(
\begin{array}{l}
(\mathrm{Xbck}_{(e_1, \perp)}(H_1) + \delta) \wedge \mathrm{path}(\neg H_1, \delta) \\
\wedge\ \neg \mathrm{replace}\Big(\mathrm{Rbck}_{E_2^{(\perp)}}\Big(Q,\ z - \delta = 0 \wedge \bigvee_{e_2 \in E_2^{(e_1)}} \mathrm{Xbck}_{(e_1, e_2)}(Q)\Big), z, 0\Big)
\end{array}
\right)
\]

With lemmas 6, 4, and 5, the main result of this section is established as follows.

Theorem 1. Simulation_Check(A1, A2) is implementable as an algorithm with zones.



7 Algorithm for NZ-simulation checking 

In this section, we present the following lemma that helps us adapt procedure Simulation_Check() for the checking of NZ-simulation. Please be reminded that in definition 5, NZ1 denotes a representation of the non-Zeno states in the reachable state-space of A1. The construction of zone-predicates for NZ1 was discussed in [14,21].

Lemma 7. Given Ai = (Σ, Xi, G, Li, Ii, Hi, Ei, εi, τi, πi), 1 ≤ i ≤ 2, if A1 ≼_NZ A2, then A1 ≼^NZ_Q A2 for some Q such that for all (ν1, ν2) ∈ Q, ν1 ⊨ NZ1.
Proof: We assume there is (ν1, ν2) ∈ Q such that ν1 ∈ V_A1 is a Zeno state. According to definition 5, by deleting all such pairs from Q, we still get an NZ-simulation relation out of Q. Thus the lemma is proven. ■
Lemma 7 leads to the following algorithm for NZ-simulation-checking.

NZ-Simulation_Check($A_1$, $A_2$)
/* $A_i = (S, X_i, G, L_i, I_i, H_i, E_i, \varepsilon_i, \tau_i, \pi_i)$, $1 \le i \le 2$ */ {
    Construct $NZ_1$ and let $A_1'$ be $(S, X_1, G, L_1, I_1 \wedge NZ_1, NZ_1, E_1, \varepsilon_1, \tau_1, \pi_1)$.
    Return Simulation_Check($A_1'$, $A_2$).
}



8 Experiments 

We have implemented the techniques discussed in this manuscript in RED 7.0, a model-checker for TEAs and parametric safety analyzer for LHAs based on CRD and HRD technology [19,20]. We have experimented with the following parameterized benchmarks with various numbers of processes. $A_1$ and $A_2$ differ in only one process.

• Fischer's timed mutual exclusion algorithm [5]: The algorithm relies on a global lock and a local clock per process to control access to the critical section. The two timing constants used are 10 and 19. We use two versions of this benchmark, one with a simulation relation and one without.

• CSMA/CD benchmark [22]: This is the Ethernet bus arbitration protocol with the idea of collision-and-retry. The timing constants used are 26, 52, and 808. We use three versions of this benchmark, one with an NZ-simulation relation, one with a simulation relation, and one without.

• Timed consumer/producer: There are a buffer, some producers, and some consumers in the benchmark. The producers periodically write data to the buffer. The consumers also periodically wipe out data, if any, in the buffer. We use two versions of this benchmark, one with the biggest timing constant 15 and a simulation relation, the other with the biggest timing constant 20 and without a simulation relation.

The performance data is reported in table 1. For each row, we report the computation time for constructing $NZ_1$ and the time for simulation-checking. The total memory consumption for the data-structures in state-space representations is also reported. In this experiment, we did not run benchmarks with large concurrency sizes. But according to the growth rates of the memory consumptions, we predict that benchmarks with larger concurrency sizes could be passed with our program.

Table 1. Performance data of scalability w.r.t. various strategies

benchmarks          versions          m  non-Zeno      Simulation    total time
                                         restriction   Check         and memory
                                         time          time
------------------------------------------------------------------------------
Fischer's mutual    Simulation        1  0.01s         0.00s         0.01s/23k
exclusion           exists.           2  0.31s         0.43s         0.74s/90k
(m processes)                         3  1.27s         2.30s         3.57s/201k
                                      4  4.24s         8.27s         12.51s/431k
                                      5  12.98s        26.84s        39.82s/897k
                    Simulation        1  0.01s         0.00s         0.01s/22k
                    does not exist.   2  0.27s         0.11s         0.38s/88k
                                      3  1.42s         0.65s         1.73s/190k
                                      4  (illegible)   (illegible)   5.46s/390k
                                      5  (illegible)   (illegible)   (illegible)
CSMA/CD             Simulation        1  0.02s         0.00s         0.02s/44k
(1 bus +            exists.           2  0.25s         0.36s         0.61s/161k
m senders)                            3  2.15s         88.09s        90.24s/3681k
                    Only              1  0.18s         0.03s         0.21s/53k
                    NZ-simulation     2  1.12s         2.10s         2.73s/199k
                    exists.           3  5.90s         122.0s        127.9s/2447k
                    No simulation     1  0.03s         0.01s         0.04s/45k
                    exists.           2  0.26s         0.90s         1.16s/183k
                                      3  2.28s         25.82s        28.10s/4365k
Consumer &          Simulation        1  0.07s         0.00s         0.07s/39k
producer            exists.           2  0.24s         0.03s         0.27s/48k
(1 buffer +                           3  0.62s         0.05s         0.67s/76k
1 producer +                          4  2.01s         0.08s         2.09s/173k
m consumers)                          5  6.51s         0.21s         6.72s/403k
                    Simulation        1  0.06s         0.03s         0.09s/52k
                    does not exist.   2  0.28s         0.23s         0.51s/61k
                                      3  0.70s         0.22s         0.92s/104k
                                      4  2.75s         0.33s         3.08s/245k
                                      5  10.64s        0.92s         11.56s/590k

Data collected on a Pentium 4 1.7GHz with 380MB memory running LINUX; s: seconds; k: kilobytes of memory in data-structures.

9 Conclusion

In this work, we present a characterization of the simulation relation between TEAs and derive a symbolic simulation-checking procedure out of this characterization. We then present techniques to implement the algorithm with zone-technology. It would be interesting to see what classes of LHAs can be verified with zone-technology using this technique. Our algorithm can also be adapted to handle the effect of Zeno states. Finally, our implementation and experiments show the promise that our algorithm could be useful in practice in the future.
APPENDIX

A Definition of non-Zeno simulation and equivalence

Suppose we are given two TEAs $A_1$ and $A_2$ such that $A_i = (S, X_i, G, L_i, I_i, H_i, E_i, \varepsilon_i, \tau_i, \pi_i)$, $1 \le i \le 2$, and two states $\nu_1 \in V_{A_1}$ and $\nu_2 \in V_{A_2}$. Let $NZ_1$ be a representation of the non-Zeno states in the reachable state-space of $A_1$. An NZ-simulation $Q$ from $A_1$ to $A_2$ is a binary relation from $V_{A_1}$ to $V_{A_2}$ that satisfies the following requirement. For every $(\nu_1, \nu_2) \in Q$, $\nu_1$ and $\nu_2$ agree on the interpretation of the variables in $G$, and for every $\delta \in \mathbb{R}^{\ge 0}$ and transition $e_1 \in E_1$ such that for all $\delta' \in [0, \delta]$, $\nu_1 + \delta' \models H_1$ and $\nu_1 + \delta \models \tau_1(e_1)$, there are $\nu_2' \in V_{A_2}$ and $e_2 \in E_2$ such that $\mathrm{stutter}_2(\nu_1, \nu_2, \delta, \nu_2', Q)$, $\nu_2' \models \tau_2(e_2)$, and $((\nu_1 + \delta)\pi_1(e_1),\ \nu_2'\pi_2(e_2)) \in Q$. Or in logic notation,

$\forall (\nu_1, \nu_2) \in Q\ \ \forall e_1 \in E_1\ \ \forall \delta \in \mathbb{R}^{\ge 0}$
$\quad \Big( \big(\forall 0 \le \delta' \le \delta\ (\nu_1 + \delta' \models H_1)\big) \wedge \nu_1 + \delta \models \tau_1(e_1) \wedge (\nu_1 + \delta)\pi_1(e_1) \models NZ_1$
$\quad \rightarrow \exists \nu_2' \big( \mathrm{stutter}_2(\nu_1, \nu_2, \delta, \nu_2', Q) \wedge \exists e_2 \in E_2\ \big( \nu_2' \models \tau_2(e_2) \wedge ((\nu_1 + \delta)\pi_1(e_1),\ \nu_2'\pi_2(e_2)) \in Q \big) \big) \Big)$

If there is an NZ-simulation relation $Q$ from $A_1$ to $A_2$ such that for every state $\nu_1 \models I_1 \wedge NZ_1$, there is a $\nu_2 \models I_2$ such that $(\nu_1, \nu_2) \in Q$, we denote $A_1 \le_Q A_2$. If $\exists Q\,(A_1 \le_Q A_2)$, we say $A_1$ implements (or is simulated by) $A_2$, in symbols $A_1 \le A_2$. Two TEAs $A_1$ and $A_2$ are equivalent (i.e. bisimulate), in symbols $A_1 \equiv A_2$, if $A_1 \le A_2$ and $A_2 \le A_1$. ■



B Fourier-Motzkin elimination for the special case

There are two cases to discuss. The first case is for calculating $\exists p_1(f(p_1, \ldots, p_m, x_1, \ldots, x_n))$. According to Shannon expansion, we have

$\exists p_1(f(p_1, \ldots, p_m, x_1, \ldots, x_n)) = f(\mathit{false}, \ldots, p_m, x_1, \ldots, x_n) \vee f(\mathit{true}, \ldots, p_m, x_1, \ldots, x_n)$

The second case, for the calculation of $\exists x_1(f(p_1, \ldots, p_m, x_1, \ldots, x_n))$, can be handled with the following steps.

(1) Rewrite $f(p_1, \ldots, p_m, x_1, \ldots, x_n)$ in disjunctive normal form.

(2) For each disjunct,

(2.1) rewrite the linear constraints in one of the following three forms.
TYPE I: $\sum_{2 \le i \le n} a_i x_i \sim -a_1 x_1 + d$ when $a_1 > 0$.
TYPE II: $\sum_{2 \le i \le n} b_i x_i \sim' -b_1 x_1 - d'$ when $b_1 < 0$.
TYPE III: $\sum_{2 \le i \le n} c_i x_i \sim d$ when $c_1 = 0$.

(2.2) for each TYPE I constraint $\sum_{2 \le i \le n} a_i x_i \sim -a_1 x_1 + d$ and TYPE II constraint $\sum_{2 \le i \le n} b_i x_i \sim' -b_1 x_1 - d'$, conjunct the following constraint to the disjunct:

$\sum_{2 \le i \le n} (a_i |b_1| + b_i |a_1|)\, x_i \ \sim''\ |b_1|\, d - |a_1|\, d'$

where $\sim''$ is '$\le$' if both $\sim$ and $\sim'$ are '$\le$', and $\sim''$ is '$<$' otherwise.

(2.3) delete every constraint with a non-zero coefficient for $x_1$ in the disjunct.
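Steps (1) to (2.3) carried out in code, as an added example that is not the paper's or RED's implementation. Every constraint is kept in the single normalized form $\sum_v c_v v \;\mathit{op}\; d$, so the sign bookkeeping of the appendix's $d'$ is absorbed into $d$; the constructed disjunct combines one TYPE I and one TYPE II constraint, applies the strictness rule for $\sim''$, and shows how a contradiction surfaces when elimination leaves a variable-free constraint.

```python
"""Fourier-Motzkin elimination of one real variable (Appendix B, steps (1)-(2.3)).
Added example, not the paper's or RED's code; constraints use the form sum(c_v*v) op d."""
from typing import Dict, List, NamedTuple

class Constraint(NamedTuple):
    coeffs: Dict[str, int]   # variable -> integer coefficient (zero entries omitted)
    op: str                  # '<' (strict) or '<=' (non-strict)
    d: int                   # right-hand-side constant

def eliminate(disjunct: List[Constraint], x: str) -> List[Constraint]:
    """Step (2): existentially eliminate x from one conjunction of constraints."""
    uppers = [c for c in disjunct if c.coeffs.get(x, 0) > 0]   # TYPE I: bound x from above
    lowers = [c for c in disjunct if c.coeffs.get(x, 0) < 0]   # TYPE II: bound x from below
    result = [c for c in disjunct if c.coeffs.get(x, 0) == 0]  # TYPE III: kept by step (2.3)
    for up in uppers:
        for lo in lowers:
            a1, b1 = abs(up.coeffs[x]), abs(lo.coeffs[x])
            # step (2.2): |b1|*upper + |a1|*lower cancels x exactly
            coeffs = {}
            for v in set(up.coeffs) | set(lo.coeffs):
                cv = up.coeffs.get(v, 0) * b1 + lo.coeffs.get(v, 0) * a1
                if v != x and cv != 0:
                    coeffs[v] = cv
            op = '<=' if up.op == '<=' and lo.op == '<=' else '<'  # strict if either is
            result.append(Constraint(coeffs, op, up.d * b1 + lo.d * a1))
    return result

def eliminate_dnf(dnf: List[List[Constraint]], x: str) -> List[List[Constraint]]:
    """Steps (1)-(2): with f already in DNF, eliminate x disjunct by disjunct."""
    return [eliminate(disjunct, x) for disjunct in dnf]

def is_contradiction(c: Constraint) -> bool:
    """A variable-free constraint produced by elimination is decided outright (0 op d)."""
    return not c.coeffs and not (0 < c.d if c.op == '<' else 0 <= c.d)

def canonical(c: Constraint):
    """Order-independent form for comparing constraints."""
    return (tuple(sorted(c.coeffs.items())), c.op, c.d)

if __name__ == "__main__":
    # constructed disjunct: x1 - x2 <= 3,  -x1 + x3 < -1 (x1 > x3 + 1),  x2 - x3 <= 5
    phi = [Constraint({'x1': 1, 'x2': -1}, '<=', 3),
           Constraint({'x1': -1, 'x3': 1}, '<', -1),
           Constraint({'x2': 1, 'x3': -1}, '<=', 5)]
    for c in eliminate(phi, 'x1'):
        print(canonical(c))   # x2 - x3 <= 5 survives; -x2 + x3 < 2 is added
```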